This post summarizes my study notes on the topic of ACI EPG
- EPG = Endpoint Group: the unit that ACI classifies endpoints into and applies policy to.
- when creating an EPG, a bridge domain must be associated with it.
- an EPG can be part of only one bridge domain at a time (a bridge domain, on the other hand, can hold many EPGs).
- On the APIC GUI, using the Topology tab: after dropping an EPG symbol onto the canvas and configuring it, it is not created until you press the Submit button.
- Between EPGs all communication is denied unless a contract permits it. This is the default behaviour of a VRF (Policy Control Enforcement Preference = Enforced; setting it to Unenforced permits everything and should be treated as a finding). Endpoints inside the same EPG can talk freely unless intra-EPG isolation is enabled. In effect ACI acts as a stateless, whitelist-model filter at line rate between EPGs.
- Microsegmentation can be enabled or disabled from the EPG's own configuration.
- Standard (or internal) EPG
- uSeg EPG (read further to know about them)
- external EPG:
- this is where we define the connection point to an external L2 or L3 network (an L2Out or L3Out).
- external endpoints are not learned individually; they are classified into the external EPG by subnet (L3Out) or by the extended VLAN (L2Out). Internal endpoints stay in their own EPGs; they are not assigned to the external EPG.
- communication between internal EPGs and the external networks is regulated by contracts with the external EPG; without one it is denied like any other inter-EPG traffic. Note that an external subnet of 0.0.0.0/0 classifies every external prefix into that EPG, so a permissive contract on it opens the fabric to everything behind the L3Out.
- vzAny aka “All EPG”:
- a construct that represents all EPGs in a VRF.
- is useful to implement an "any-to-any" contract between all EPGs of a VRF which, combined with explicit deny rules for the exceptions, emulates a blacklist model
- reduces policy TCAM utilization: a single vzAny rule replaces one rule per EPG when all EPGs in a VRF would consume/provide the same services
An EPG can also be categorized in terms of providing or consuming a contract:
- An EPG providing the "services" is said to be a Provider of the contract, or Provider EPG.
- The EPG benefiting from the "services" is said to be a Consumer of the contract, thus a Consumer EPG.
- Contracts are directional: the consumer initiates towards the provider, and the filters in the contract subject determine which ports are allowed (and, with "Apply Both Directions" and "Reverse Filter Ports", the return traffic).
EPG and Domains
- An EPG can be associated with one or more domains: physical domains for bare-metal attachment, VMM domains for hypervisors. For a VMM domain we say "we extend EPG x to the VMM domain y".
- When an EPG is extended to a VMM domain of type VMware, a network segment called a "Port Group" is automatically created on the vSphere Distributed Switch that the APIC manages. By default the port group is named after the tenant, application profile and EPG (Tenant|ApplicationProfile|EPG). The VMware administrator then has to manually assign VM vNICs to the port group; since that placement is what puts a VM into the EPG, it is effectively an access-policy change and should be reviewed as one.
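To see how the pieces above fit together as objects rather than GUI clicks, the following added example (my own code, not from the page or from Cisco) builds the JSON tree that the APIC REST API accepts on POST /api/mo/uni.json: a VRF in enforced mode with a vzAny any-to-any contract, a bridge domain, a contract, and an application profile with a consumer EPG (extended to a VMware VMM domain) and a provider EPG. The tenant, VRF, BD, EPG, contract and VMM-domain names are made up for the example; the class and attribute names (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, fvRsBd, fvRsProv, fvRsCons, fvRsDomAtt, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzAny, vzRsAnyToProv, vzRsAnyToCons) are real APIC managed-object classes. The validate() function does the checks a practitioner wants before pushing the tree: exactly one bridge domain per EPG and no dangling contract or BD references.

```python
"""Build and sanity-check an APIC configuration tree for EPGs, contracts and vzAny.
Names such as 'demo', 'vrf-prod', 'bd-app', 'web', 'app', 'app-svc', 'common-svcs'
and 'vmm-vcenter' are constructed for this example."""
import json
import urllib.request
from typing import Any, Dict, List, Optional

MO = Dict[str, Any]  # one managed object: {"class": {"attributes": {...}, "children": [...]}}


def mo(cls: str, attrs: Dict[str, str], children: Optional[List[MO]] = None) -> MO:
    """Wrap a managed object in the shape the APIC JSON API expects."""
    body: Dict[str, Any] = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def _name(m: MO) -> str:
    (_, body), = m.items()
    return body["attributes"].get("name", "")


def children_of(m: MO, cls: str) -> List[MO]:
    """Direct children of m that are of class cls."""
    (_, body), = m.items()
    return [c for c in body.get("children", []) if cls in c]


def contract(name: str, filt: str = "default") -> MO:
    """Contract with one subject referencing a filter by name ('default' resolves to tenant common)."""
    subj = mo("vzSubj", {"name": "subj"}, [mo("vzRsSubjFiltAtt", {"tnVzFilterName": filt})])
    return mo("vzBrCP", {"name": name, "scope": "context"}, [subj])


def epg(name: str, bd: str, provides=(), consumes=(), vmm_domains=()) -> MO:
    """Standard EPG: exactly one fvRsBd, plus provider/consumer relations and VMM domain attachments."""
    children = [mo("fvRsBd", {"tnFvBDName": bd})]  # mandatory, and only one BD per EPG
    children += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    children += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    # Extending the EPG to a VMware VMM domain is what makes APIC create the port group on the VDS.
    children += [mo("fvRsDomAtt", {"tDn": f"uni/vmmp-VMware/dom-{d}"}) for d in vmm_domains]
    return mo("fvAEPg", {"name": name}, children)


def vrf(name: str, any_contract: Optional[str] = None, enforced: bool = True) -> MO:
    """VRF. pcEnfPref=enforced is the default that denies inter-EPG traffic without a contract.
    If any_contract is given, vzAny both provides and consumes it (any-to-any inside the VRF)."""
    children: List[MO] = []
    if any_contract:
        children.append(mo("vzAny", {}, [
            mo("vzRsAnyToProv", {"tnVzBrCPName": any_contract}),
            mo("vzRsAnyToCons", {"tnVzBrCPName": any_contract}),
        ]))
    return mo("fvCtx", {"name": name, "pcEnfPref": "enforced" if enforced else "unenforced"}, children)


def build_tenant(tenant: str = "demo", vmm_domain: str = "vmm-vcenter") -> MO:
    """Whole tenant tree: 'web' consumes 'app-svc' provided by 'app'; vzAny shares 'common-svcs'."""
    return mo("fvTenant", {"name": tenant}, [
        vrf("vrf-prod", any_contract="common-svcs"),
        mo("fvBD", {"name": "bd-app"}, [mo("fvRsCtx", {"tnFvCtxName": "vrf-prod"})]),
        contract("app-svc"),
        contract("common-svcs"),
        mo("fvAp", {"name": "ap-demo"}, [
            epg("web", "bd-app", consumes=["app-svc"], vmm_domains=[vmm_domain]),
            epg("app", "bd-app", provides=["app-svc"]),
        ]),
    ])


def validate(tenant: MO) -> List[str]:
    """Pre-push checks: one BD per EPG, and every BD/contract reference resolves inside this tenant
    (contracts inherited from tenant common are not visible here and would be reported)."""
    problems: List[str] = []
    bd_names = {_name(b) for b in children_of(tenant, "fvBD")}
    contract_names = {_name(c) for c in children_of(tenant, "vzBrCP")}
    for ap in children_of(tenant, "fvAp"):
        for e in children_of(ap, "fvAEPg"):
            rs_bd = children_of(e, "fvRsBd")
            if len(rs_bd) != 1:
                problems.append(f"EPG {_name(e)}: expected exactly one fvRsBd, found {len(rs_bd)}")
            for r in rs_bd:
                bd = r["fvRsBd"]["attributes"]["tnFvBDName"]
                if bd not in bd_names:
                    problems.append(f"EPG {_name(e)}: bridge domain {bd!r} not defined in tenant")
            for cls in ("fvRsProv", "fvRsCons"):
                for r in children_of(e, cls):
                    c = r[cls]["attributes"]["tnVzBrCPName"]
                    if c not in contract_names:
                        problems.append(f"EPG {_name(e)}: {cls} references undefined contract {c!r}")
    for ctx in children_of(tenant, "fvCtx"):
        for any_obj in children_of(ctx, "vzAny"):
            for cls in ("vzRsAnyToProv", "vzRsAnyToCons"):
                for r in children_of(any_obj, cls):
                    c = r[cls]["attributes"]["tnVzBrCPName"]
                    if c not in contract_names:
                        problems.append(f"vzAny in VRF {_name(ctx)}: {cls} references undefined contract {c!r}")
    return problems


def post_to_apic(base_url: str, token: str, tenant: MO) -> bytes:
    """POST the tree to the APIC. token is the APIC-cookie value from a prior aaaLogin (not done here);
    TLS is verified against the system trust store, so do not point this at an APIC with an untrusted cert."""
    req = urllib.request.Request(f"{base_url}/api/mo/uni.json", data=json.dumps(tenant).encode(),
                                 headers={"Cookie": f"APIC-cookie={token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    tree = build_tenant()
    issues = validate(tree)
    print(json.dumps(tree, indent=2) if not issues else "\n".join(issues))
```

Running it prints the JSON ready to POST; post_to_apic() is only there to show the request shape and is not called by default. The validate() step is worth keeping in any automation around EPGs: an EPG posted without its fvRsBd, or with a contract name that does not resolve, is accepted by the APIC and then silently has no policy attached, which is exactly the kind of gap that turns into an isolation failure later.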